Cyber Resilience

CVE-2021-47639

Severity: High
Published: 26 February 2025
Modified: 24 March 2025
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.1th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-47639 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47639 is a use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically in the x86 MMU code when the TDP (Two-Dimensional Paging) MMU is in use. The defect is that the TDP MMU zaps only valid roots, not invalid ones, when unmapping a guest physical frame number (gfn) range from an mmu_notifier callback. KVM is required to hold no references to the freed pages once the unmap operation returns; because invalid roots are left for a later, interruptible zap, that requirement is violated and the page can be touched after it has been freed. The kernel commit message shows the symptom as a warning in kvm_is_zone_device_pfn raised during a zap triggered by set_nx_huge_pages; the same race exists with memslot updates.

A local attacker with low privileges (PR:L) on a host running a vulnerable kernel with KVM enabled can trigger the bug with low attack complexity and no user interaction. The window opens when mmu_notifier callbacks such as kvm_mmu_notifier_invalidate_range_start or kvm_mmu_notifier_release run to completion while other KVM work, such as zapping invalidated roots and handling changed SPTEs (Shadow Page Table Entries) via kvm_set_pfn_dirty, is still in progress. Successful exploitation carries high confidentiality, integrity and availability impact (CVSS 7.8), ranging from kernel crashes (the stack trace quoted in the vulnerability details shows the kernel warning emitted at the point the freed page is touched) to more severe memory corruption.

The referenced kernel patches fix the issue by making the TDP MMU zap all roots, valid and invalid, when unmapping a gfn range in mmu_notifier callbacks. Key commits are 0c8a8da182d4333d9bbb9131d765145568c847b2, 8cf6f98ab1d16d5e607635a0c21c4231eb15367e, af47248407c0c5ae52a752af1ab5ce5b0db91502 and d62007edf01f5c11f75d0f4b1e538fc52a5b1982, available in the stable kernel trees. Security practitioners should update to kernels that incorporate these fixes.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

Zap both valid and invalid roots when zapping/unmapping a gfn range, as KVM must ensure it holds no references to the freed page after returning from the unmap operation. Most notably, the TDP MMU doesn't zap invalid roots in mmu_notifier callbacks. This leads to use-after-free and other issues if the mmu_notifier runs to completion while an invalid root zapper yields as KVM fails to honor the requirement that there must be _no_ references to the page after the mmu_notifier returns. The bug is most easily reproduced by hacking KVM to cause a collision between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug exists between kvm_mmu_notifier_invalidate_range_start() and memslot updates as well. Invalidating a root ensures pages aren't accessible by the guest, and KVM won't read or write page data itself, but KVM will trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing a zap of an invalid root _after_ the mmu_notifier returns is fatal.

WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]
RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]
Call Trace:
 <TASK>
 kvm_set_pfn_dirty+0xa8/0xe0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 zap_gfn_range+0x1f3/0x310 [kvm]
 kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]
 kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]
 set_nx_huge_pages+0xb4/0x190 [kvm]
 param_attr_store+0x70/0x100
 module_attr_store+0x19/0x30
 kernfs_fop_write_iter+0x119/0x1b0
 new_sync_write+0x11c/0x1b0
 vfs_write+0x1cc/0x270
 ksys_write+0x5f/0xe0
 do_syscall_64+0x38/0xc0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A use-after-free in host KVM kernel code directly enables local kernel memory corruption or code execution, and therefore privilege escalation from a low-privileged host account.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2023-52974 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2022-49176 (same product: Linux Kernel)
CVE-2022-49291 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.13 to 5.15.33, 5.16 to 5.16.19, 5.17 to 5.17.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation)

Timely remediation of the use-after-free in the KVM TDP MMU by applying the Linux kernel patches that zap all roots, valid and invalid, during gfn-range unmapping.

Detect (RA-5, Vulnerability Monitoring and Scanning)

Vulnerability scanning identifies hosts running Linux kernel versions vulnerable to CVE-2021-47639, so that patching can be targeted at systems that expose KVM.
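As an added example that is not part of the CVE record, the following Python helper applies the affected-version ranges listed under Affected Assets to `uname -r` style strings from a host inventory. It assumes the upper bound of each range is the first fixed stable release (exclusive); the record itself does not state whether the bounds are inclusive.

```python
"""Triage helper for CVE-2021-47639: is a given kernel version in the affected ranges?"""
import re

# Affected ranges from the CVE record, as (first affected, upper bound) pairs.
# Assumption: the upper bound is the first fixed stable release, so it is exclusive.
AFFECTED_RANGES = [
    ("5.13", "5.15.33"),
    ("5.16", "5.16.19"),
    ("5.17", "5.17.2"),
]

def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.15.32-generic' into (5, 15, 32).

    Only the leading upstream version is kept; distro suffixes, '-rcN' and '+'
    are dropped. A missing patch level is read as 0. Raises ValueError on garbage.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"not a kernel version: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(release: str) -> bool:
    """True when the upstream version lies in any [first_affected, first_fixed) range."""
    v = parse_kernel_version(release)
    return any(parse_kernel_version(lo) <= v < parse_kernel_version(hi)
               for lo, hi in AFFECTED_RANGES)

def triage(releases):
    """Map each inventory entry to 'affected', 'not affected' or 'unparseable'.

    Caveat: distro kernels often backport fixes without changing the upstream
    version string, so 'affected' here means 'needs a package-level check',
    not 'confirmed vulnerable'.
    """
    result = {}
    for r in releases:
        try:
            result[r] = "affected" if is_affected(r) else "not affected"
        except ValueError:
            result[r] = "unparseable"
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not data from the CVE record.
    sample = ["5.15.32-generic", "5.15.33", "5.16.19-arch1-1", "5.17.1", "5.12.0", "6.1.0-rc1", "bogus"]
    for rel, status in triage(sample).items():
        print(f"{rel:20s} {status}")
```

Because vendors backport the fix commits listed above into kernels whose version string stays inside these ranges, treat an "affected" result as a prompt to check the distribution's package changelog or security advisory rather than as confirmation.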

Prevent

Kernel hardening features such as SMAP and KASLR raise the cost of exploiting the use-after-free in KVM by constraining what an attacker can do with a dangling reference to freed memory.
